Unconstrained Fund Allocations Leading to Insolvency Risk
Unconstrained Fund Allocations Leading to Insolvency Risk
Description:
The allocateFunds function allows an allocator to assign any amount to a recipient without checking the treasury’s actual balance (_balances) or total value (_totalValue). There’s no enforcement to ensure that the sum of allocations doesn’t exceed available funds.
Affected Code:
Impact:
An allocator could allocate 1,000 tokens when the treasury only holds 500, creating an expectation of funds that cannot be fulfilled.
If managers withdraw funds without regard to allocations, the treasury could become insolvent, unable to honor allocated amounts.
Example Scenario:
Treasury has 1,000 tokens.
Allocator A allocates 800 tokens to Recipient X.
Manager withdraws 600 tokens (allowed since
_balances[token] >= 600).Only 400 tokens remain, but 800 are allocated—insolvency occurs.
Recommendation:
-
Track the total allocated amount per token and enforce a limit. Add a new mapping:
mapping(address => uint256) private _totalAllocated; // Token => total allocated amount -
Update
allocateFundsto check:uint256 newAllocation = _allocations[msg.sender][recipient] + amount;if (_totalAllocated[token] + newAllocation > _balances[token]) revert InsufficientFunds();_totalAllocated[token] += newAllocation;_allocations[msg.sender][recipient] = amount; -
Adjust
_totalAllocatedinwithdrawto prevent over-withdrawal.
Lead Judging Commences
Treasury::allocateFunds doesn't say what token you are actually allocating, doesn't check balances, or existing allocations to other recipients
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.